Re: [websec] Comments on draft-ietf-websec-key-pinning

[Ryan Sleevi]

On Thu, February 19, 2015 11:38 am, Jeffrey Walton wrote:
>  I don't believe this proposal - in its current form - will prove
>  effective in the canonical cases: (1) CA failure like Diginotar; and
>  (2) MitM attacks like Superfish. Are there other obvious cases I
>  missed that this control will be effective?
>
>  Jeff

You're factually wrong in cases like (1), and woefully misguided in cases
like (2) if you believe _any_ software, on a general purpose operating
system with 1-layer security principals (such as Windows and OS X), can
defend against a program with same-or-higher privileges.

That's like complaining a program with root access can interfere with your
usermode application. Well, yes, that's exactly correct, that's how it's
supposed to work.

If you can conceive a model where a super-user process would not be able
to circumvent, then congrats, you've solved one of the most vexatious
problems in computer security, and I know a dozen of anti-virus and
anti-malware companies that will let you name your price if only you share
your solution with them.

Consider the following ways that an application like Superfish could have
dealt with this (courtesy of a colleague far brighter than I)
- PTRACE_POKETEXT a code modification at runtime
- LD_PRELOAD a shim that intercepts strcmp and returns false for
"Strict-Transport-Security"
- Patch GTK+ (or equiv) so that the lock icon always appears on the omnibox
- Rebuild a version of the browser with the code to disable such pinning
commented out.

There is no sane world in which anything in the HPKP spec can or should
deal with this. It's doubly true and hopefully self-evident that "raising
the bar" is not at all an acceptable, or even reasonable, justification.
Malicious actors have every reason to escalate to more nefarious means
(whether for profit or interception), while legitimate actors get shut out
or, equally, burrow further into internals and cause worse experiences for
everyone.

I understand that you disagree. But you're also wrong if you think HPKP
can or should have dealt with this.

Best regards,
Ryan

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: [websec] Comments on draft-ietf-websec-key-pinning

[Jeffrey Walton]

> Ryan's previous post already covered the reasons for disabling pin
> validation for user-defined trust anchors, which still hold even though
> Superfish did their superfish thing.

That's not acceptable for two reasons. First, the user did not take an
administrative action. Second, pinning is a control we use to stop
that sort of thing.

We also don't have an audit trail because the IETF thought it was wise
for the user agents to be complicit in the cover up.

I don't believe this proposal - in its current form - will prove
effective in the canonical cases: (1) CA failure like Diginotar; and
(2) MitM attacks like Superfish. Are there other obvious cases I
missed that this control will be effective?

Jeff

On Thu, Feb 19, 2015 at 1:00 PM, Joseph Bonneau  wrote:
>
> On Thu, Feb 19, 2015 at 9:43 AM, Jeffrey Walton  wrote:
>>
>> Quod erat demonstratum:
>>
>> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
>>
>> This proposal needs to be revisited. It has serious defects.
>
>
> Ryan's previous post already covered the reasons for disabling pin
> validation for user-defined trust anchors, which still hold even though
> Superfish did their superfish thing.
>
> If the spec did not allow this behavior, the next Superfish would probably
> just configure local UAs to launch with pinning disabled completely. I don't
> think their recklessness would somehow stop short of overriding the
> browser's pinning policy.

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: [websec] Comments on draft-ietf-websec-key-pinning

[Joseph Bonneau]

On Thu, Feb 19, 2015 at 9:43 AM, Jeffrey Walton  wrote:

> Quod erat demonstratum:
>
> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
>
> This proposal needs to be revisited. It has serious defects.


Ryan's previous post already covered the reasons for disabling pin
validation for user-defined trust anchors, which still hold even though
Superfish did their superfish thing.

If the spec did not allow this behavior, the next Superfish would probably
just configure local UAs to launch with pinning disabled completely. I
don't think their recklessness would somehow stop short of overriding the
browser's pinning policy.
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: [websec] Comments on draft-ietf-websec-key-pinning

[Jeffrey Walton]

Quod erat demonstratum:
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

This proposal needs to be revisited. It has serious defects.

On Fri, Jan 2, 2015 at 12:21 AM, Jeffrey Walton  wrote:
> I'd like to share some comments on
> https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21.
>
> Pubic key pinning is an effective security control and I'm glad to see
> the IETF moving forward with it. And I'm especially thankful to Palmer
> and Sleevi for taking the time to put it together and shepherd it
> through the process.
>
> * (1) *
>
> The title "Public Key Pinning Extension for HTTP" seems overly broad
> and misses the mark a bit. The Abstract states its for User Agents,
> but the title does not narrow focus.
>
> There are different problem domains where public key pinning can be
> utilized. Painting with a broad brush, I categorize them as "the
> general problem" where no 'a priori' knowledge exists, and various
> specific "instance problems", where 'a priori' does exits and can be
> leveraged. An example of the general problem is browsers, and an
> example of the instance problem is any custom software deployed by an
> organization.
>
> Suggestion: change the title to "Trust on First Use Pinsets and
> Overrides for HTTP" or "Pinsets and Overrides for HTTP in User
> Agents".
>
> There are a few reasons for the suggestion. First, the abstract
> effectively states its. Second, the proposed standard is a TOFU scheme
> used for the general problem. Third, the Introduction recognizes the
> two classes of problems when it discusses the pre-shared keys. Fourth,
> the embodiment described in the proposed standard is not a preferred
> solution for the many instances of the specific problems. Fifth, the
> overrides need to be highlighted since they are an integral and high
> impact part of the proposed standard.
>
> Above, when I said the "… is not a preferred solution for the many
> instances of the specific problems", I'm referring to pinning as
> described in Gutmann's Engineering Security [1], OWASP [2] or by Moxie
> Marlinspike [3] and others.
>
> * (2) *
>
> I think the document could benefit from a more comprehensive
> discussion of the goals. The abstract states "… [some]
> man-in-the-middle attacks due to compromised Certification
> Authorities". That wet my appetite and I'd like to read more.
>
> I think it would be more helpful to state what is trying to be
> achieved in terms of both operational goals and security goals. For
> example, I don't see any operational goals, like business continuity
> behind a proxy. And "some man-in-the-middle attacks due to compromised
> Certification Authorities" seems to be a somewhat underspecifed
> security goal.
>
> * (3) *
>
> I think the document could benefit from an enumeration of the threats
> the security control is intended to defend against (or a normative
> reference to the "Pinning Threat Model" stated in [4]).
>
> Taken in its totality (pinning + overrides), its not clear to me what
> the proposed standard defends against.
>
> The Abstract mentions it could defend against "[some]
> man-in-the-middle attacks due to compromised Certification
> Authorities." Because we don't know what the control is intended to
> protect against, we can't measure its effectiveness.
>
> Additionally, when public key pinning is used in a more traditional
> sense (like Gutmann's Engineering Security [1], OWASP [2] or Moxie
> Marlinspike [3]), then pinning defends against some things the
> proposed standard appears to allow.
>
> The lack of clarity means there are some significant operational
> differences between customary expectations and the proposed standard.
> The misunderstood differences will clearly lead to confusion,
> unexpected results and a false sense of security.
>
> * (4) *
>
> From the 1. Introduction:
>
> Key pinning is a trust-on-first-use (TOFU) mechanism.
>
> That may be true for the general problem, but its completely untrue
> when 'a priori' knowledge exists for a specific instance of the
> problem. Gutmann's Engineering Security [1], OWASP [2] or Moxie
> Marlinspike [3] have been providing the counter examples for years.
>
> * (5) *
>
> From the 1. Introduction:
>
>A Pin is a relationship between a hostname and a cryptographic
>identity (in this document, 1 or more of the public keys in a chain
>of X.509 certificates).  Pin Validation is the process a UA performs
>to ensure that a host is in fact authenticated with its previously-
>established Pin.
>
> I was a little confused the first time I read this because I parsed it
> incorrectly. Here's how I parsed the first time: only the server or
> end-entity certificate has a hostname, so only that certificate can
> contribute a public key to a pinset. The other certificates
> (intermediate and ca) can't contribute to a pinset because they don't
> have a hostname.
>
> Perhaps